Challenge 10: Build a complete security architecture

The challenge: You conducted a pentest. You found 10-15 vulnerabilities. Pick your top 3-5 critical findings. Implement comprehensive remediations addressing all of them.

Your approach

Prioritise findings:

  • Which findings matter most?

  • Safety impact?

  • Operational impact?

  • Likelihood of exploitation?

  • Business impact?

Use a prioritisation framework:

Priority = (Safety × 2) + (Operational × 1.5) + (Likelihood × 1.5) + (Business × 1) / Remediation Feasibility

Choose 3-5 critical findings: Don’t try to fix everything. Focus on what matters most.

Examples:

  • Unauthenticated Modbus access to turbines

  • Anonymous SCADA access

  • No network segmentation

  • Missing safety system isolation

  • Lack of audit logging

Design comprehensive remediations: For each finding, design a complete fix:

  • Technical controls (what to implement)

  • Process controls (procedures, change management)

  • Monitoring and detection (how to know if it’s working)

  • Incident response (what to do when it fails)

Implement defence in depth: Don’t rely on a single control. Layer defences:

  • Authentication (who are you?)

  • Authorisation (what can you do?)

  • Network segmentation (limit blast radius)

  • Monitoring (detect attacks)

  • Logging (forensics and audit)

Document trade-offs: Every remediation has costs. Document:

  • Implementation cost (time, money, effort)

  • Operational impact (what becomes harder?)

  • Performance impact

  • Maintenance burden

  • Limitations (what doesn’t this fix?)

  • Residual risk (what’s still vulnerable?)

Test comprehensively

Security testing:

  • Run your original attack scripts

  • Do they still work?

  • Can you find new bypasses?

  • Test each layer independently

Operational testing:

  • Can operators do their jobs?

  • What workflows changed?

  • What’s harder now?

  • What’s impossible now?

Failure scenario testing:

  • What happens when controls fail?

  • Authentication server down?

  • Firewall misconfigured?

  • Certificates expired?

  • Can operations continue?

Red team vs blue team: If you have others working on this:

  • Swap simulators

  • Try to break each other’s defences

  • Learn from what works

  • Learn from what fails

What you can learn

Prioritisation is hard:

  • Can’t fix everything

  • Resources are limited

  • Some things are unfixable

  • Risk acceptance is reality

Defence in depth works:

  • No single control is sufficient

  • Multiple layers catch what one misses

  • But complexity increases

  • More maintenance burden

Trade-offs are everywhere:

  • Security vs usability

  • Security vs operational flexibility

  • Security vs performance

  • Security vs cost

  • Every choice is a trade-off

Documentation matters:

  • Why did you choose these remediations?

  • What trade-offs did you accept?

  • What residual risks remain?

  • Future you will need this information

Perfection is impossible:

  • There’s always residual risk

  • Accept it, document it, monitor it

  • Focus on what matters most

Where to start

# Review your pentest findings
# List all vulnerabilities found

# For each vulnerability, assess:
# - Safety impact (1-5)
# - Operational impact (1-5)
# - Likelihood (1-5)
# - Business impact (1-5)
# - Remediation feasibility (1-5)

# Calculate priority scores
# Choose top 3-5

# For each chosen finding:
# - Design remediation (what controls?)
# - Estimate cost (time, money, effort)
# - Document trade-offs
# - Implement
# - Test
# - Document results
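
The scoring and shortlisting steps above can be kept as a small worksheet. This is an added example, not code from the original page; it assumes the division in the prioritisation formula applies to the whole weighted sum, and the scores are constructed for illustration (the finding names are the page's examples).

```python
from dataclasses import dataclass

# Weights taken from the page's prioritisation formula.
WEIGHTS = {"safety": 2.0, "operational": 1.5, "likelihood": 1.5, "business": 1.0}

@dataclass(frozen=True)
class Finding:
    name: str
    safety: int
    operational: int
    likelihood: int
    business: int
    feasibility: int  # the divisor in the page's formula

    def __post_init__(self):
        # Every score uses the 1-5 scale from the checklist above.
        for field in (*WEIGHTS, "feasibility"):
            value = getattr(self, field)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {field}={value} is outside 1-5")

def priority(finding: Finding) -> float:
    # Assumption: the whole weighted sum is divided by remediation feasibility.
    weighted = sum(getattr(finding, key) * w for key, w in WEIGHTS.items())
    return weighted / finding.feasibility

def shortlist(findings, top_n=5):
    """Rank findings by score, highest first, and keep the top_n."""
    ranked = sorted(findings, key=priority, reverse=True)
    return [(f.name, round(priority(f), 2)) for f in ranked[:top_n]]

# Constructed scores: safety, operational, likelihood, business, feasibility.
FINDINGS = [
    Finding("Unauthenticated Modbus access to turbines", 5, 5, 4, 4, 2),
    Finding("Anonymous SCADA access", 4, 5, 4, 4, 2),
    Finding("No network segmentation", 4, 4, 3, 3, 4),
    Finding("Missing safety system isolation", 5, 3, 2, 4, 5),
    Finding("Lack of audit logging", 2, 2, 3, 3, 2),
]

if __name__ == "__main__":
    for name, score in shortlist(FINDINGS, top_n=3):
        print(f"{score:6.2f}  {name}")
```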

Example approach

Finding 1: Unauthenticated Modbus to turbines

Remediations:

  • Technical: IP whitelisting at firewall (only SCADA and engineering)

  • Technical: Deploy anomaly detection for abnormal Modbus traffic

  • Technical: Integrate logging for all Modbus writes

  • Process: Change management for firewall rules

  • Monitoring: Alert on Modbus connections from non-whitelisted IPs

  • Incident response: Procedure for investigating unauthorised access attempts

Trade-offs:

  • Cost: 16 hours implementation, minimal financial cost

  • Operational impact: Vendor remote access requires firewall change

  • Performance: None (firewall rules are fast)

  • Maintenance: Need to update whitelist when systems change

  • Limitations: Doesn’t authenticate, just restricts source IPs (can be spoofed on local network)

  • Residual risk: Insider or compromised HMI still has full access

Testing:

  • From unauthorised IP: Access blocked ✓

  • From SCADA: Access works ✓

  • From compromised HMI: Still works (residual risk) ✗

  • Anomaly detection catches unusual writes ✓
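
One way to implement the write logging and the alert on non-whitelisted sources from Finding 1, as an added example that is not part of the original page. It assumes the check sees each Modbus/TCP request together with its source IP (for example on a monitoring tap); the addresses and frames are constructed.

```python
import ipaddress
import struct

# Assumed SCADA server and engineering workstation addresses (constructed).
ALLOWLIST = {ipaddress.ip_address("10.10.1.10"), ipaddress.ip_address("10.10.1.20")}

# Modbus function codes that change state on the device.
WRITE_FUNCTIONS = {0x05: "write single coil", 0x06: "write single register",
                   0x0F: "write multiple coils", 0x10: "write multiple registers"}

def inspect_request(src_ip: str, frame: bytes) -> list:
    """Return alert and audit events for one Modbus/TCP request frame."""
    allowed = ipaddress.ip_address(src_ip) in ALLOWLIST
    events = []
    if not allowed:
        events.append({"type": "alert", "src": src_ip, "reason": "source not on allowlist"})
    if len(frame) < 8:
        events.append({"type": "alert", "src": src_ip, "reason": "truncated frame"})
        return events
    # MBAP header (transaction, protocol, length, unit) followed by the function code.
    _tid, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:
        events.append({"type": "alert", "src": src_ip, "reason": "malformed MBAP header"})
        return events
    if func in WRITE_FUNCTIONS and len(frame) >= 10:
        (address,) = struct.unpack(">H", frame[8:10])
        # allowed_source reflects the source IP only; it is not authentication.
        events.append({"type": "write", "src": src_ip, "unit": unit, "address": address,
                       "function": WRITE_FUNCTIONS[func], "allowed_source": allowed})
    return events

# Constructed request frames: (source IP, raw Modbus/TCP bytes).
SAMPLES = [
    ("10.10.1.10", bytes.fromhex("0001000000060106001005dc")),  # SCADA writes register 16
    ("10.10.9.99", bytes.fromhex("000200000006010300000002")),  # unknown host reads
    ("10.10.9.99", bytes.fromhex("00030000000601050002ff00")),  # unknown host writes coil 2
]

def run_samples() -> list:
    return [inspect_request(src, frame) for src, frame in SAMPLES]

if __name__ == "__main__":
    for events in run_samples():
        for event in events:
            print(event)
```

Writes from an allowlisted address are logged but raise no alert, which matches the residual risk recorded above.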

Finding 2: Anonymous SCADA access

Remediations:

  • Technical: Enable OPC UA authentication (see Challenge 1)

  • Technical: Generate and deploy certificates

  • Technical: Integrate authorisation checks

  • Process: Certificate lifecycle management procedures

  • Monitoring: Log all authentication attempts

  • Incident response: Procedure for handling compromised certificates

Trade-offs:

  • Cost: 40 hours implementation, €5,000 for certificate management

  • Operational impact: All clients need certificates, HMI reconfiguration

  • Performance: ~10ms latency increase per connection

  • Maintenance: Certificate renewal every year

  • Limitations: Doesn’t encrypt data, just authenticates (see Challenge 7 for encryption)

  • Residual risk: Compromised client certificate still grants access

Continue this for each priority finding…